brouberol/5esheets

Make sure that the JWT comes from the cookies

Closed this issue · 1 comments

This will make sure that the token isn't stored in the browser's localStorage and thus isn't exposed to the outside world. By having the cookie be HttpOnly, we will also restrict the JS code from accessing it.

We could/should replace our semi-custom JWT implementation with https://indominusbyte.github.io/fastapi-jwt-auth/usage/jwt-in-cookies/

This will also make sure that the client can authenticate transparently, as the backend will answer with a Set-Cookie HTTP response header.

Also https://website.simplx.fr/blog/2016/09/27/authentification-api-via-jwt-et-cookies/ is a good explanation as to why storing JWTs in HttpOnly cookies is a secure option.
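A stdlib-only sketch of the cookie flow described in this issue, added here as an example (it is not 5esheets' code nor the fastapi-jwt-auth library): the backend mints an HS256 JWT, answers with a Set-Cookie header carrying HttpOnly, Secure and SameSite, and on later requests authenticates from the Cookie header only. The secret and cookie name are constructed for the example.

```python
import base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie

SECRET = b"constructed-demo-secret"  # constructed for the example; a real app loads it from config
COOKIE_NAME = "access_token"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(sub: str, ttl: int = 3600, now=None) -> str:
    """Sign an HS256 JWT with a subject, issue time and expiry."""
    now = int(time.time()) if now is None else now
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_jwt(token: str, now=None) -> dict:
    """Return the claims if signature and expiry check out, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3 or json.loads(_unb64(parts[0])).get("alg") != "HS256":
        raise ValueError("malformed token or unexpected alg")
    head, body, sig = parts
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= (int(time.time()) if now is None else now):
        raise ValueError("token expired")
    return claims

def login_set_cookie_header(sub: str, ttl: int = 3600) -> str:
    """Set-Cookie value the backend answers with after a successful login."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = mint_jwt(sub, ttl)
    jar[COOKIE_NAME]["httponly"] = True   # hidden from document.cookie, so injected JS cannot read it
    jar[COOKIE_NAME]["secure"] = True     # only sent over HTTPS
    jar[COOKIE_NAME]["samesite"] = "Lax"  # browser omits it on cross-site POSTs
    jar[COOKIE_NAME]["path"] = "/"
    jar[COOKIE_NAME]["max-age"] = ttl
    return jar[COOKIE_NAME].OutputString()

def claims_from_request(headers: dict) -> dict:
    """Authenticate from the Cookie header only; an Authorization header is ignored."""
    cookies = SimpleCookie(headers.get("Cookie", ""))
    if COOKIE_NAME not in cookies:
        raise ValueError("no session cookie")
    return verify_jwt(cookies[COOKIE_NAME].value)
```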